Mifare classic 1k: keys found in 5 seconds with the proxmark3 / 2023-08-16

Koos van den Hout

2023-08-16 Mifare classic 1k: keys found in 5 seconds with the proxmark3
Somebody gave me a tag 'once used to access the bicycle parking at work' because of my interest in RFID tags. So I checked the tag with the proxmark3 and the proxmark3 had no trouble finding the keys and getting full access in very little time.

I made sure that these tags are no longer used because otherwise I had a good argument to replace that system fast! And they are indeed deprecated, which also means I can write about my experiences without causing new risks.

It's already known the mifare classic is insecure, no news here. But seeing how fast a current proxmark3 can find the keys and dump the contents of the card with the full access confirms this insecurity again.

First I tried seeing what kind of tag this was: 
[usb|script] pm3 --> hf search

[+]  UID: 6A BB 43 5C 
[+] ATQA: 00 04
[+]  SAK: 08 [2]
[+] Possible types:
[+]    MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb|script] pm3 --> hf mf list
[=] downloading tracelog data from device
[+] Recorded activity (trace len = 68 bytes)
[=] start = start of start frame end = end of frame. src = source of transfer
[=] ISO14443A - all times are in carrier periods (1/13.56MHz)

      Start |        End | Src | Data (! denotes parity error)                  
                         | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
          0 |       2048 | Rdr |0d  37  21! 92  f2                                                       |  !! | 
      32544 |      34592 | Rdr |5d  37  21! 71! 71                                                       |  !! | 
      35808 |      36064 | Rdr |a1(1)                                                                    |     | 
      37088 |      37344 | Rdr |a3(1)                                                                    |     | 
      38368 |      38624 | Rdr |a5(1)                                                                    |     | INCR(0)
      39648 |      39904 | Rdr |a7(1)                                                                    |     |
So far I've read the public information the card gives to any compatible NFC reader.

My next step was to try to find keys, and this happened fast. Note proxmark3 finds all keys for this card in 5 seconds. I use the hf mf chk command to check for keys and give options --1k to assume a 1k card and --dump to dump the found keys for further use. 
[usb|script] pm3 --> hf mf chk --1k --dump
[=] Start check for keys...
[=] .................................
[=] time in checkkeys 5 seconds

[=] testing to read key B...

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  001 | 007 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  002 | 011 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  003 | 015 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  004 | 019 | FFFFFFFFFFFF | 1 | FFFFFFFFFFFF | 1
[+]  005 | 023 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  006 | 027 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  007 | 031 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  008 | 035 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  009 | 039 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  010 | 043 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  011 | 047 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  012 | 051 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  013 | 055 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  014 | 059 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+]  015 | 063 | 6A1987C40A21 | 1 | 7F33625BC129 | 1
[+] -----+-----+--------------+---+--------------+----
[+] ( 0:Failed / 1:Success )

[+] Generating binary key file
[+] Found keys have been dumped to /home/koos/hf-mf-6ABB435C-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
Next we can use the keys dump file to read the whole card: 
[usb|script] pm3 --> hf mf dump
[=] Using... hf-mf-6ABB435C-key.bin
[=] Reading sector access bits...
[=] .................
[+] Finished reading sector access bits
[=] Dumping all blocks from card...
[+] successfully read block  0 of sector  0.
[+] successfully read block  1 of sector  0.
[+] successfully read block  2 of sector  0.
[+] successfully read block  3 of sector  0.
[+] successfully read block  0 of sector  1.
[+] successfully read block  1 of sector  1.
[+] successfully read block  2 of sector  1.
[+] successfully read block  3 of sector  1.
[+] successfully read block  0 of sector  2.
[+] successfully read block  1 of sector  2.
[+] successfully read block  2 of sector  2.
[+] successfully read block  3 of sector  2.
[+] successfully read block  0 of sector  3.
[+] successfully read block  1 of sector  3.
[+] successfully read block  2 of sector  3.
[+] successfully read block  3 of sector  3.
[+] successfully read block  0 of sector  4.
[+] successfully read block  1 of sector  4.
[+] successfully read block  2 of sector  4.
[+] successfully read block  3 of sector  4.
[+] successfully read block  0 of sector  5.
[+] successfully read block  1 of sector  5.
[+] successfully read block  2 of sector  5.
[+] successfully read block  3 of sector  5.
[+] successfully read block  0 of sector  6.
[+] successfully read block  1 of sector  6.
[+] successfully read block  2 of sector  6.
[+] successfully read block  3 of sector  6.
[+] successfully read block  0 of sector  7.
[+] successfully read block  1 of sector  7.
[+] successfully read block  2 of sector  7.
[+] successfully read block  3 of sector  7.
[+] successfully read block  0 of sector  8.
[+] successfully read block  1 of sector  8.
[+] successfully read block  2 of sector  8.
[+] successfully read block  3 of sector  8.
[+] successfully read block  0 of sector  9.
[+] successfully read block  1 of sector  9.
[+] successfully read block  2 of sector  9.
[+] successfully read block  3 of sector  9.
[+] successfully read block  0 of sector 10.
[+] successfully read block  1 of sector 10.
[+] successfully read block  2 of sector 10.
[+] successfully read block  3 of sector 10.
[+] successfully read block  0 of sector 11.
[+] successfully read block  1 of sector 11.
[+] successfully read block  2 of sector 11.
[+] successfully read block  3 of sector 11.
[+] successfully read block  0 of sector 12.
[+] successfully read block  1 of sector 12.
[+] successfully read block  2 of sector 12.
[+] successfully read block  3 of sector 12.
[+] successfully read block  0 of sector 13.
[+] successfully read block  1 of sector 13.
[+] successfully read block  2 of sector 13.
[+] successfully read block  3 of sector 13.
[+] successfully read block  0 of sector 14.
[+] successfully read block  1 of sector 14.
[+] successfully read block  2 of sector 14.
[+] successfully read block  3 of sector 14.
[+] successfully read block  0 of sector 15.
[+] successfully read block  1 of sector 15.
[+] successfully read block  2 of sector 15.
[+] successfully read block  3 of sector 15.

[+] Succeeded in dumping all blocks

[+] time: 7 seconds

[+] saved 1024 bytes to binary file /home/koos/hf-mf-6ABB435C-dump.bin
[+] saved 64 blocks to text file /home/koos/hf-mf-6ABB435C-dump.eml
[+] saved to json file /home/koos/hf-mf-6ABB435C-dump.json
Tags: , ,

IPv6 check

Running test...

Archive

Browse the recent archive:
September 2023
August 2023
July 2023
June 2023
May 2023
April 2023
March 2023
February 2023
January 2023
December 2022
November 2022
October 2022
News archive
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites
This page generated by $Id: newsitem.cgi,v 1.62 2023/09/19 14:49:50 koos Exp $ in 0.011191 seconds.